
Just realizing that a phishing attack like this is nowadays impossible in the EU: proper two-factor authentication is mandatory now (Revised Directive on Payment Services, PSD2), even just for login. TAN codes generated for transactions need to incorporate the data of the transaction (recipient and amount), so that a phished TAN cannot be used to authorize a different transaction. I think even a simple SMS TAN may not be allowed any more (it could be MITM-abused to authorize a different transaction than the intended one).

Here is a summary of what customers and phishers have to face since September:


The security part of PSD2 is starting to look like another cookie law. Banks of course didn't implement any proper 2FA like U2F but rather send you scrounging for the phone with their app every time you want to look up a transaction or an account number, something that didn't require second factor until the directive.

In fact, because it makes checking recent transactions that much less convenient, it probably made me less safe because I do it much less often.

TOTP is in terms of usability not very different from PhotoTAN or ChipTAN, so I don't see how these methods aren't "proper 2FA".

U2F is a useful method, but it's not common at all (even in IT most companies don't provide it, not even the website we're on right now, nor PayPal), and it's not understandable how this isn't "proper 2FA".

In addition, the directive requiring the purpose of the code to be fixed and shown aside it, either in the app generating it, or in the push notification, is a very useful security aspect which most other 2FA solutions miss — even U2F can't differentiate between a login and a transaction authorization.

I don't like TOTP. U2F, however, is both convenient and secure. You touch a dongle, you're in, and at the same time there is no way to get access to your account without physically stealing the dongle. It's a proper second factor to a password.

Other solutions are either/or. There is a benefit to confirming particular actions (with the info about the action) in the app, but it's unnecessarily inconvenient for mere login.

U2F isn't widely supported but I managed to secure virtually my entire high-value Internet presence with it. Google, OVH, Coinbase, and Stripe all support it. Let's be honest, for HN I wouldn't bother with any second factor. I have the password saved in the browser and that's more than enough.

Here we have ChipTAN - I put my card into a special reader (some photodiodes plus keypad and display), hold the diode end of the reader onto my PC display, and a flickering image on the website transfers some info to the reader. On the reader I then see some info on the transaction (IBAN and amount), plus a TAN. I then enter that TAN on the bank's website.

So an attacker would need to alter the image (simple) and cause a collision (hopefully difficult) or somehow abuse an error in the reader firmware.

It seems there is now a QR variant of that (which increases the attack surface since now it has to understand a more complex data format).

If my bank had had me install an app or use SMS 2FA, I would have kindly asked them to .... off (or, if they think their "2FA" is safe, just connect their mobile phones to this totally unsuspicious-looking USB device).

ChipTAN on wikipedia: https://en.wikipedia.org/wiki/Transaction_authentication_num...
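The dynamic-linking idea from the first comment (the TAN incorporates recipient and amount) and the ChipTAN flow and "alter the image, then need a collision" attack from the comment above, as an added toy model. This is not code from the thread or from any bank: the real ChipTAN/EMV CAP algorithm, flicker encoding and key handling are different, and every name here (Transaction, Reader, Bank, tan_for, the `|`-separated flicker payload) is invented for the example. The IBANs and amounts are constructed sample values. The `linked` flag switches between a TAN bound to the transaction data (PSD2 style) and a TAN bound only to the challenge, so both outcomes can be compared.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    iban: str          # recipient
    amount_cents: int  # amount in cents


def encode_flicker(challenge: str, tx: Transaction) -> str:
    """Payload the flickering image carries to the reader (format assumed for this toy)."""
    return f"{challenge}|{tx.iban}|{tx.amount_cents}"


def decode_flicker(payload: str) -> tuple[str, Transaction]:
    challenge, iban, amount = payload.split("|")
    return challenge, Transaction(iban, int(amount))


def tan_for(card_key: bytes, challenge: str, tx: Transaction,
            linked: bool = True, digits: int = 6) -> str:
    """MAC-derived TAN (toy, not EMV CAP). With linked=True the recipient and
    amount are part of the MAC input, so the TAN only fits this exact transfer;
    with linked=False only the challenge is, i.e. any TAN fits any transfer."""
    msg = challenge.encode()
    if linked:
        msg += tx.iban.encode() + tx.amount_cents.to_bytes(8, "big")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"


class Reader:
    """Card reader: decodes the flicker code, shows recipient/amount, returns the TAN."""
    def __init__(self, card_key: bytes, linked: bool = True):
        self.card_key, self.linked = card_key, linked

    def read(self, payload: str) -> tuple[Transaction, str]:
        challenge, tx = decode_flicker(payload)
        return tx, tan_for(self.card_key, challenge, tx, self.linked)


class Bank:
    """Bank side: one challenge per pending transfer; the TAN is verified against
    the transfer the bank has on file, never against what the browser sends back."""
    def __init__(self, card_key: bytes, linked: bool = True):
        self.card_key, self.linked = card_key, linked
        self.pending: dict[str, Transaction] = {}

    def start_transfer(self, tx: Transaction) -> str:
        challenge = secrets.token_hex(8)
        self.pending[challenge] = tx
        return encode_flicker(challenge, tx)

    def complete_transfer(self, challenge: str, tan: str) -> bool:
        tx = self.pending.pop(challenge, None)      # single use
        if tx is None:
            return False
        expected = tan_for(self.card_key, challenge, tx, self.linked)
        return hmac.compare_digest(expected, tan)


def honest_transfer(linked: bool) -> bool:
    """Normal flow: reader shows what the user intended, bank accepts the TAN."""
    key = secrets.token_bytes(16)                    # constructed card key
    bank, reader = Bank(key, linked), Reader(key, linked)
    tx = Transaction("DE89370400440532013000", 4999)  # constructed sample transfer
    payload = bank.start_transfer(tx)
    shown, tan = reader.read(payload)
    assert shown == tx                               # display matches the intent
    return bank.complete_transfer(decode_flicker(payload)[0], tan)


def altered_image_attack(linked: bool) -> bool:
    """Phisher starts their own transfer with the bank, then alters the flicker
    image so the victim's reader displays the victim's intended recipient and
    amount. Returns True if the bank ends up accepting the attacker's transfer."""
    key = secrets.token_bytes(16)
    bank, reader = Bank(key, linked), Reader(key, linked)
    victim_tx = Transaction("DE89370400440532013000", 4999)
    attacker_tx = Transaction("GB29NWBK60161331926819", 250000)
    challenge, _ = decode_flicker(bank.start_transfer(attacker_tx))
    forged_image = encode_flicker(challenge, victim_tx)  # attacker-controlled page
    shown, tan = reader.read(forged_image)
    assert shown == victim_tx      # the victim sees nothing suspicious on the reader
    return bank.complete_transfer(challenge, tan)
```

With `linked=False` the altered image is enough: the reader's TAN depends only on the challenge, so it authorizes whatever the attacker registered. With `linked=True` the reader MACs the data it displayed, the bank MACs the data it stored, and the attacker is left needing a 6-digit collision (one chance in a million per attempt, against a bank that should lock after a few failures) or a bug in the reader's decoding, which is why the QR variant's larger parser is the more interesting attack surface.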
